
CYBER SYRUP
Delivering the sweetest insights on cybersecurity.
CISA Warns of Commercial Spyware Targeting WhatsApp, Signal, and Other Messaging Apps

CISA has issued a new advisory outlining an ongoing wave of commercial spyware campaigns targeting users of encrypted mobile messaging applications such as WhatsApp and Signal. Threat actors are using zero-day exploits, zero-click attacks, and impersonation techniques to deliver mobile spyware capable of harvesting communications, monitoring activity, and deploying additional payloads. While attacks remain opportunistic, evidence shows a consistent focus on high-value individuals across government, military, political, and civil society sectors.
Context
Encrypted messaging applications are widely used for sensitive communications. Their security depends on both application-level protections and mobile device integrity. Commercial spyware vendors have increasingly developed capabilities to bypass these protections, often exploiting device vulnerabilities before patches exist.
CISA’s advisory consolidates multiple threats reported throughout the year, reflecting a broader trend: mobile platforms remain high-priority targets for nation-state actors and commercial surveillance groups.
What Happened
CISA’s alert highlights several documented spyware campaigns:
- Spyware delivered through WhatsApp to Apple device users
- Android spyware “Landfall” targeting Samsung phones
- Russian threat actors abusing Signal’s linked-devices feature for live message access
- NSO Group spyware activity involving WhatsApp
- Android spyware ClayRat, ProSpy, and ToSpy disguised as legitimate messaging apps
Attackers rely heavily on social engineering and device-level exploits to access victim communications and deploy secondary malicious components.
Technical Breakdown
CISA emphasizes the following techniques:
- Zero-day exploits: Attacks leveraging vulnerabilities unknown to the vendor, allowing remote compromise before patches are available.
- Zero-click exploits: Payloads delivered without user interaction, often through messaging apps or system services.
- Masquerading malware: Spyware distributed as counterfeit versions of popular messaging apps, especially on Android.
- Abuse of account linking: Exploiting features like Signal’s “linked devices” to clone message streams in real time.
- Post-exploitation payloads: Spyware often acts as an entry point to install additional surveillance tools or persistence mechanisms.
Impact Analysis
While campaigns remain broadly opportunistic, CISA reports a strategic targeting pattern:
- Government, military, and political figures
- Civil society organizations (CSOs)
- Journalists, activists, and researchers
- Individuals in the United States, Middle East, and Europe
The risks include exposure of sensitive communications, location tracking, credential theft, and long-term device compromise.
Why It Matters
Mobile devices are primary communication endpoints for high-value individuals. Commercial spyware has evolved to bypass app-level encryption by compromising the device itself, where decrypted content is accessible. As spyware becomes easier for threat actors to acquire, organizations must shift from app security alone to full mobile ecosystem protection.
Expert Commentary
Security researchers note that the commercial spyware industry continues to blur the line between state and non-state capabilities. The use of zero-click and impersonation techniques lowers the barrier for targeted surveillance and increases the difficulty of detection. Experts stress:
- Continuous device patching
- Restricting sideloaded apps
- Reviewing linked device permissions
- Using mobile threat defense tools
- Training high-risk users on targeted social engineering
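One way to act on the "masquerading malware" and "restricting sideloaded apps" points on an Android device you manage, as an added example that is not taken from CISA's advisory or this newsletter: it audits the output of `adb shell pm list packages -3 -i` for apps that did not come from a trusted store and that reuse or imitate a messenger's package name. The trusted-installer set, the helper names, and the sample output are assumptions constructed for illustration.

```python
import re

# Assumption: input is the text printed by `adb shell pm list packages -3 -i`
# (third-party packages with their installer), one entry per line.
ENTRY = re.compile(r"^package:(\S+)\s+installer=(\S+)$")
TRUSTED_INSTALLERS = {"com.android.vending"}  # Google Play; add your MDM or store
# Genuine package names of the two messengers the article names.
MESSENGERS = {"whatsapp": "com.whatsapp", "signal": "org.thoughtcrime.securesms"}

def classify(pkg):
    """Explain why a package from an untrusted installer deserves a look."""
    low = pkg.lower()
    for brand, genuine in MESSENGERS.items():
        if low == genuine:
            # Right name, wrong source: verify the signing certificate.
            return "genuine name, untrusted installer"
        if brand in low or genuine in low:
            return f"lookalike of {genuine}"
    return "sideloaded"

def audit(pm_output):
    """Return (package, installer, reason) for every untrusted-installer entry."""
    findings = []
    for raw in pm_output.splitlines():
        m = ENTRY.match(raw.strip())
        if m is None:
            continue  # skip blank or unrecognized lines
        pkg, installer = m.groups()
        if installer not in TRUSTED_INSTALLERS:
            findings.append((pkg, installer, classify(pkg)))
    return findings

# Constructed sample output; the package names ending in ".example" are invented.
SAMPLE = """\
package:com.whatsapp  installer=com.android.vending
package:org.thoughtcrime.securesms  installer=null
package:com.whatsapp.update.example  installer=com.google.android.packageinstaller
package:org.example.notes  installer=null
package:org.example.maps  installer=com.android.vending
"""

if __name__ == "__main__":
    for pkg, installer, reason in audit(SAMPLE):
        print(f"{pkg:40} {installer:40} {reason}")
```

A finding is a lead for manual review, not a verdict: the installer field records how an app arrived on the device, not whether it is malicious.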
Key Takeaways
- Spyware campaigns are targeting WhatsApp, Signal, and other messaging platforms.
- Attackers are using zero-day, zero-click, and impersonation-based delivery methods.
- High-value individuals across multiple regions are primary targets.
- Mobile devices remain a critical exposure point despite encrypted messaging apps.
- CISA urges at-risk users to follow updated security guidance for mobile protections.

